From 1aa51a816c1b1eaf886ac183f636e51b9ca5c507 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Wed, 24 Apr 2024 16:55:06 +0200
Subject: [PATCH] Add firewall rules for Ceph and monitoring

The firewall was blocking the monitoring traffic from hut and the Ceph traffic among OSDs. The rules only allow connecting from the specific host that they are supposed to be coming from.

Reviewed-by: Aleix Roca Nonell
---
 m/bay/configuration.nix | 10 ++++++++++
 m/lake2/configuration.nix | 8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/m/bay/configuration.nix b/m/bay/configuration.nix
index 70b71653..ac34f698 100644
--- a/m/bay/configuration.nix
+++ b/m/bay/configuration.nix
@@ -23,6 +23,16 @@
     address = "10.0.42.40";
     prefixLength = 24;
   } ];
+  firewall = {
+    extraCommands = ''
+      # Accept all incoming TCP traffic from lake2
+      iptables -A nixos-fw -p tcp -s lake2 -j nixos-fw-accept
+      # Accept monitoring requests from hut
+      iptables -A nixos-fw -p tcp -s hut -m multiport --dport 9283,9002 -j nixos-fw-accept
+      # Accept all Ceph traffic from the local network
+      iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
+    '';
+  };
 };
 
 services.ceph = {
diff --git a/m/lake2/configuration.nix b/m/lake2/configuration.nix
index aacf5b93..934f6f78 100644
--- a/m/lake2/configuration.nix
+++ b/m/lake2/configuration.nix
@@ -45,6 +45,14 @@
     address = "10.0.42.42";
     prefixLength = 24;
   } ];
+  firewall = {
+    extraCommands = ''
+      # Accept all incoming TCP traffic from bay
+      iptables -A nixos-fw -p tcp -s bay -j nixos-fw-accept
+      # Accept monitoring requests from hut
+      iptables -A nixos-fw -p tcp -s hut --dport 9002 -j nixos-fw-accept
+    '';
+  };
 };
 
 # Missing service for volumes, see:
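Review bot: The source filters are hostnames (`-s lake2` and `-s hut` here, `-s bay` and `-s hut` in the lake2 hunk), which iptables resolves once when the rule is loaded, so the rules depend on name resolution working at firewall start and on each name mapping to the address the traffic actually arrives from; if the hostnames resolve to the addresses shown in the hunks (bay as 10.0.42.40, lake2 as 10.0.42.42), writing the numeric address removes that dependency, e.g. `iptables -A nixos-fw -p tcp -s 10.0.42.42 -j nixos-fw-accept`. The first bay rule accepts every TCP port from lake2 while the third rule already accepts the Ceph ports from the whole 10.0.40.0/24 network, so if only Ceph traffic is expected from lake2 the blanket rule could carry a `--dport` restriction like the hut rule does, and the same applies to the bay rule in the lake2 hunk. The Ceph rule matches 10.0.40.0/24 while the interface configured just above is in 10.0.42.0/24, which may well be a separate cluster network but deserves a comment such as `# Ceph cluster network is 10.0.40.0/24, not the 10.0.42.0/24 management interface` so it is not mistaken for a typo. The attribute set that these lines extend begins before the hunk.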